Daira-Emma Hopwood

~It appears as though the current draft has a bug, because the "payload" doesn't include the recipient address, and therefore a relying party doesn't have enough information to recompute the...

The draft needs to be updated for Sapling.

Josh and I recommend updating this for Sapling, and leaving payment disclosures undefined and unimplemented for Sprout.

Also Appendix A.4 says that $\mathsf{nk}$ needs to be on the curve, when it is already checked to be $[\mathsf{nsk}] \mathcal{H}$.

[Section 3 of the Curve25519 paper](https://cr.yp.to/ecdh/curve25519-20060209.pdf) is relevant: > **Choice of key-derivation function.** There are no theorems guaranteeing the safety of any particular key-derivation function H with, e.g., 512-bit output....

(Both are too small; the x-height should match the surrounding text. But this ticket is about the inconsistency between reloads.)

> * Just make the text stand out somehow then indicate which protocol in the margins. This is possible using the [changebar](https://ctan.org/pkg/changebar) package (or maybe the [mdframed](https://ctan.org/pkg/mdframed) package). I'll see...

It's possible for paragraphs, but I don't know how to apply this within sentences, and it would be difficult to integrate with the existing macros. I was hoping to be...

The behaviour of `nLockTime` is exactly as it was in the version of Bitcoin core we forked from (0.11.2). Sorry for the lack of documentation. `nLockTime` is orthogonal to `nExpiryHeight`;...

Agreed that the transparent pool should be treated in the same way as shielded pools by this policy. It also has significant cryptographic risks, a high technical debt burden, and...